<div dir="ltr">Right, you don't want to be just regenerating all of the certs on a non-mixed-mode cluster with CTL.<div><br></div><div>For what to do in that situation, it depends on if the LSCs are already expired or not. If you still have time, just get the certs updated and re-issue new LSCs using CAPF. If the phones are already unregistered, you can do the same thing or change the security profiles to non-secure like you mentioned to get you to a maintenance window.</div><div><br></div><div>Any time you regenerate a CallManager/CAPF/TVS certificate on any node in 8.6 and above, all phones will reset so be aware of that since your secure phones will then try to re-register right then and won't be able to until you finish the whole process of updating the certs and pushing new LSCs.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 4, 2015 at 1:42 PM, Ryan Ratliff (rratliff) <span dir="ltr"><<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
<div>Turning off security would get the phones registered but if you regen all your certs at the same time you will strand your phones on an ITL that can't be updated. If you have CTLs signed by etokens you will probably be ok one you rerun the CTL client. </div>
<div><br>
</div>
<div>This is why you configure certificate notification and act on it. Do your CallManager cert in one maint window, make sure your phones all reset and update their ITLs. Then do tomcat and the rest.</div>
<div><br>
</div>
<div>Ryan </div>
<div><br>
Sent from my iPhone</div><div><div class="h5">
<div><br>
On May 4, 2015, at 1:16 PM, Justin Steinberg <<a href="mailto:jsteinberg@gmail.com" target="_blank">jsteinberg@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">brian - if you find yourself in this situation, how do you fix it ? turn off the security profile on the phone so it is no longer required to authentication and then update the phone certs and re-enable the security profile ?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, May 4, 2015 at 12:44 PM, Brian Meade <span dir="ltr">
<<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Nothing really stops working besides certificate warnings in the browser. The phones don't check validity dates. Only issue with a secure cluster is the CAPF on the publisher expiring since it signed all of the LSCs on the phones. CallManager
service will care about those being expired and they won't be able to re-register if they are reset.
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On Mon, May 4, 2015 at 11:09 AM, Reto Gassmann <span dir="ltr"><<a href="mailto:voip@mrga.ch" target="_blank">voip@mrga.ch</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">Hello Group</span></font>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)"><br>
</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">I am just curious what happens, when certificates on an CUCM cluster expire. We run a UCM cluster 9.1.2 in Mix Mode with 8 UCM server and 2 CUPS server.</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)"><br>
</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">What happens if one or all of the following certificates expire: CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the according -trust certificates.</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)"><br>
</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">Will the UCM cluster stop working, DB replication issues or will I have error messages on the phones?</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)"><br>
</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">Thanks for your thoughts</span></font></div>
<div><font size="2"><span style="background-color:rgba(255,255,255,0)">Regards Reto</span></font></div>
<br>
</div>
</div>
<span>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</span></blockquote>
</div>
<br>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>cisco-voip mailing list</span><br>
<span><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a></span><br>
<span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br>
</div>
</blockquote>
</div></div></div>
</blockquote></div><br></div>